DATA PROTECTION LAW, 2017 –IN FORCE NOW
The Cayman Islands’ Data Protection Law, 2017 (DPL) came into force on 30 September 2019. Cayman entities that have not already done so should take immediate steps to ensure they understand their obligations under the new law.
Policies and procedures should be put in place to ensure the proper protection of all personal data under the Cayman entity’s control and to create an effective governance regime for approving, overseeing, implementing and reviewing those policies. With reputations and criminal liability at stake, Cayman entities need to get it right.
Personal data is defined widely under the law to include any data relating to a living individual which allows that individual to be identified. Under the DPL, personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the data subject in advance. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing should only be undertaken if fresh consent is obtained or there is another legal ground authorising that processing.
Data controllers (those entities or individuals who alone or jointly with others determine the purposes, conditions and manner in which any personal data are, or are to be, processed) are required to set out the purposes for which personal data is being collected and details of whom that data may be shared with.
Third Party Service Providers
In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of personal data are made to third parties. There is no substitute for proper due diligence on the systems, policies and procedures of those providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls would also be advisable.
Contractual provisions should be put in place between the Cayman entity (as the data controller) and the third party service provider (as data processor) to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that loss containment and recovery practices are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the Cayman entity, as applicable.
The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Cayman entities will need to have policies and procedures in place to manage these requests. The law also obliges businesses to cease processing personal data once the purposes for which that data has been collected have been exhausted.
Prescribed data retention periods are not set out in the DPL but an analysis will need to be undertaken to determine how long data should be kept for. Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.
Implementing a data protection compliance programme involves engaging with the right stakeholders and creating an effective governance regime for approving, overseeing, implementing and reviewing the various policies. A coordinated chain of command should be developed, together with written reporting procedures, authority levels and protocols including seeking and complying with legal advice. The appointment of official roles such as a Data Protection Officer is not mandatory under the DPL but is also recommended.
Breaches of the DPL could result in fines of up to Cl$100,000 (US$122,000) per breach, imprisonment for a term of up to 5 years, or both. Other monetary penalties of up to Cl$250,000 (US$305,000) are also possible under the law. The Office of the Ombudsman, which has responsibility for enforcing the new law, has issued a Guide for Data Controllers to assist with the implementation process.
Protecting personal data is now business critical for Cayman entities. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to a business following a breach could be devastating. Appleby would be pleased to assist any persons seeking advice on complying with the requirements of DPL. Please contact a member of our Regulatory Team or your usual Appleby contact.
Impact on the investment funds industry
The average investment fund potentially generates and retains a large amount of personal data. Fund managers may also hold proprietary research and investment strategies, proprietary and personal information about markets, companies and individuals, high value email and contact lists and net worth information for individuals.
While it is very unlikely that a fund manager will use personal data other than for the purposes of processing an investment and meeting legitimate reporting and record keeping obligations, the fund must set out the purposes for which personal data is being collected and details of whom that data may be shared with.
Recommended best practice would be for this information to be set out in a separate privacy notice which can be provided with the offering memorandum and subscription documents.
Directors and Officers of Cayman Companies and LLCs Now Public
The Companies (Amendment) Law, 2019 has introduced a new section 55A that requires the Registrar of Companies to make a list of the names of the directors and alternate directors (if any) of a company available for inspection by any person, with Schedule 5 (Fees) now including a fee of $50 payable for each inspection of that list. Equivalent requirements apply in respect of managers of an LLC. Inspection of the list of directors/managers will be facilitated at a kiosk at the Office of the Registrar. The lists will not be accessible online. These requirements came into force on 1 October 2019.